On Mon, Apr 15, 2002 at 05:17:29PM -0400, Perry E. Metzger wrote:
>
> Blair Zajac <blair@orcaware.com> writes:
> > ssh -L20123:localhost:888 username@svn.repository.org sleep 100000000
> >
> > And then access svn through the URL
> >
> > http://localhost:20123/
> >
> > The -L sets up an SSH port forward.
> >
> > You need some command on the remote system to keep ssh the ssh connection
> > alive, hence the sleep.
>
> You are supposed to use -N for that. You don't in fact need a command
> on the remote system.
Well, the specific option depends on the ssh implementation. :-)
>
> What I'm really looking for is a way to do this such that we can
> configure the proxies in the client and the localhost:20123 thing can
> get papered over (as well as having to explicitly start ssh for this.)
>
You're leaving out that CVS_RSH=ssh does not create an unathenticated
tunnel from a potentially untrusted environment into the trusted one.
While you're doing your "svn up" over a port-forwarded tunnel, an
attacker can utilize the same channel to their own nefarious ends.
SSL solves this problem. So would an in-band ssh connection, like
CVS_RSH's.
If SSL isn't an option, and neither is enhancing neon to hide
the SSH part, the best I can come up with is "ra_ssh", which
would need some command-line support (in the same vein as
"cvs server"). This may be more trouble than it is worth.
--ben
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Apr 15 23:40:10 2002